Amazon Relational Database Service (Amazon RDS)

Special Notice About Rotating SSL Certificates

If you are an Amazon RDS customer with RDS database instances in the GovCloud (US) Region, you received an email from AWS on May 18, 2017 notifying you about rotating your SSL certificates. A new SSL certificate authority (CA) and new certificates for RDS database instances in the GovCloud (US) Region were made available on May 20, 2017. Action is required by all RDS customers who use SSL-secured database connections in order to maintain connectivity to their database instances after the update. This notice gives details about the announcement, explains how to tell whether you are affected, and describes what you must do to maintain connectivity to your database instances.

What is the announcement about?

A new certificate authority (CA) for RDS database instances in the GovCloud (US) Region has been available since May 20, 2017. Clients that connect to RDS databases over SSL must be updated to trust the new CA, and RDS database instances must be updated to receive a new server certificate issued by this CA. The current CA expires on August 15, 2017 at 20:00 UTC; after that time, SSL connections that still rely on the old CA fail certificate validation.

How do I know if my RDS instances are affected?

You are affected if you have database applications that use SSL to connect to RDS for MariaDB, RDS for MySQL, RDS for PostgreSQL, RDS for Oracle, or RDS for SQL Server database instances in the GovCloud (US) Region. RDS for Oracle instances that use Native Network Encryption (NNE) for secure connections are not affected, because NNE does not rely on an X.509 certificate chain.

This certificate rotation affects only database instances in the GovCloud (US) Region.

What do I have to do to maintain connectivity?

To maintain connectivity, before August 15, 2017 at 20:00 UTC you must update both the CA certificates that your client or application trusts when connecting to RDS and the server certificate on each DB instance. Follow these steps:

1. Download the new CA certificate bundle for the GovCloud (US) Region from the RDS SSL certificate download page.

2. Use the new CA certificates you downloaded in the previous step to update your database client or application, following the steps on the download page. The certificate bundle contains certificates for both the old and the new CA, so you can update your application safely and keep connectivity during the transition period. How this is done depends on the configuration of your client or application. If your client is configured to verify the server certificate (for example, MySQL's --ssl-mode=VERIFY_CA or PostgreSQL's sslmode=verify-ca), the trust store used by that setting is the one that must contain the new CA.

3. Update the DB instance. For your RDS instance, choose Modify in the AWS Management Console (or call the ModifyDBInstance API), change the CA from rds-ca-2012-us-gov-west-1 to rds-ca-2017-us-gov-west-1, and select Apply Immediately. This operation updates the SSL certificate on the RDS instance and initiates a reboot to make the new certificate take effect. The instance is unavailable during the reboot, which typically takes less than two minutes; in some cases, such as when a database has a large number of tables, the reboot can take longer. Because the instance is offline briefly while the certificate is swapped, schedule this step at a time when a short outage is acceptable, but complete it before the deadline. For more information, see Best Practices for Amazon RDS.

These steps must be completed before August 15, 2017 at 20:00 UTC. If you are unable to complete all three steps by this time, your client or application will be unable to connect to your database instance using SSL.
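Across many instances, the step that is easiest to lose track of is which DB instances still carry the old CA. The following script is an added example, not part of the AWS documentation or AWS-provided code. It reads a DescribeDBInstances response (the shape returned by `aws rds describe-db-instances` and boto3), lists the instances still on rds-ca-2012-us-gov-west-1, builds the ModifyDBInstance parameters that the third step describes, and reports how much of the window before August 15, 2017 at 20:00 UTC remains. The response, instance names and engines are constructed; the `now` argument is supplied by the caller so the check is reproducible.

```python
"""Rotation-readiness check for the GovCloud (US) RDS CA change described above.

Added example, not AWS documentation or AWS-provided code. It works on the dict
shape returned by `aws rds describe-db-instances` (and boto3's
describe_db_instances), so it runs offline against the constructed response below;
point it at a live response to audit a real account. Instance names are made up.
"""
from datetime import datetime, timezone

OLD_CA = "rds-ca-2012-us-gov-west-1"
NEW_CA = "rds-ca-2017-us-gov-west-1"
# Expiry of the old CA, from the announcement above: August 15, 2017 at 20:00 UTC.
OLD_CA_EXPIRY = datetime(2017, 8, 15, 20, 0, tzinfo=timezone.utc)

SAMPLE_RESPONSE = {                           # constructed DescribeDBInstances output
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql",
         "CACertificateIdentifier": OLD_CA, "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "reporting", "Engine": "postgres",
         "CACertificateIdentifier": NEW_CA, "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "erp-oracle", "Engine": "oracle-ee",
         "CACertificateIdentifier": OLD_CA, "DBInstanceStatus": "available"},
        {"DBInstanceIdentifier": "staging", "Engine": "sqlserver-se",
         "CACertificateIdentifier": OLD_CA, "DBInstanceStatus": "modifying"},
    ]
}


def instances_on_old_ca(response):
    """Instances still carrying a certificate from the 2012 CA."""
    return [db for db in response["DBInstances"]
            if db.get("CACertificateIdentifier") == OLD_CA]


def modify_request(db):
    """ModifyDBInstance parameters that swap the CA and apply the change now.

    Equivalent to Modify -> CA certificate -> Apply Immediately in the console;
    RDS reboots the instance to make the new certificate take effect.
    """
    return {
        "DBInstanceIdentifier": db["DBInstanceIdentifier"],
        "CACertificateIdentifier": NEW_CA,
        "ApplyImmediately": True,
    }


def rotation_plan(response, now):
    """Pending CA swaps plus how much of the transition window is left.

    `now` is a timezone-aware datetime or an ISO 8601 string. Instances that are
    not 'available' cannot be modified until their current operation finishes, so
    they are listed under 'blocked' rather than silently dropped. Oracle instances
    that use NNE are included too; per the page, their connectivity does not
    depend on this CA, but the response does not say which ones use NNE.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    pending = instances_on_old_ca(response)
    remaining = (OLD_CA_EXPIRY - now).total_seconds()
    return {
        "deadline_passed": remaining <= 0,
        "hours_remaining": max(0.0, remaining / 3600),
        "ready": [modify_request(db) for db in pending
                  if db.get("DBInstanceStatus") == "available"],
        "blocked": [db["DBInstanceIdentifier"] for db in pending
                    if db.get("DBInstanceStatus") != "available"],
    }


if __name__ == "__main__":
    plan = rotation_plan(SAMPLE_RESPONSE, "2017-08-01T00:00:00+00:00")
    for req in plan["ready"]:
        print("aws rds modify-db-instance --db-instance-identifier",
              req["DBInstanceIdentifier"], "--ca-certificate-identifier",
              req["CACertificateIdentifier"], "--apply-immediately")
    print("blocked:", plan["blocked"], "hours left:", plan["hours_remaining"])
```

Each entry under "ready" maps directly onto `aws rds modify-db-instance --db-instance-identifier <id> --ca-certificate-identifier rds-ca-2017-us-gov-west-1 --apply-immediately`, which is what the script prints. After the change, run it again with a fresh response and confirm that `instances_on_old_ca` returns nothing.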

What if I create new instances before August 15, 2017?

Any new database instance created after July 21, 2017 uses the new certificate (rds-ca-2017-us-gov-west-1) by default. If you need to temporarily switch a new instance to the old certificate (rds-ca-2012-us-gov-west-1), for example while a client has not yet been updated, you can do so by using the AWS Management Console or the API. Any instance created before July 21, 2017 keeps the rds-ca-2012-us-gov-west-1 certificate until you update it to rds-ca-2017-us-gov-west-1.

What if I have questions or issues?

If you have questions or issues, contact AWS Support or your Technical Account Manager (TAM).

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS Regions:

In the AWS GovCloud (US) Region, all Amazon RDS instances must be launched in an Amazon VPC.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted:

Amazon RDS master passwords are protected as ITAR-regulated data.

All data stored and processed in Amazon RDS database tables can contain ITAR-regulated data. Do not transfer ITAR-regulated data in or out of your Amazon RDS instance using the API or CLI; use database tools for data transfer of ITAR-regulated data.

ITAR-Regulated Data Not Permitted:

Amazon RDS metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon RDS instances, except the master password.

Do not enter ITAR-regulated data in the following fields:

Database instance identifier

Master user name

Database name

Database snapshot name

Database security group name

Database security group description

Database parameter group name

Database parameter group description

Option group name

Option group description

Database subnet group name

Database subnet group description

Event subscription name

Resource tags

If you are processing ITAR-regulated data with Amazon RDS, follow these guidelines in order to maintain ITAR compliance:

When you use the console or the AWS APIs, the only data field that is protected as ITAR-regulated data is the Amazon RDS master password.

After you create your database, change the master password of your Amazon RDS instance directly by using the database client.

You can enter ITAR-regulated data into any data fields by using your database client-side tools. Do not pass ITAR-regulated data by using the web service APIs that are provided by Amazon RDS.

To secure ITAR-regulated data in your VPC, set up network access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured on different ports, set up ACLs for all of those ports.

For example, if you are running an application server on an Amazon EC2 instance that connects to an Amazon RDS database instance, a non-U.S. person who can change the DNS resolution used by that application could redirect ITAR-regulated data out of the VPC to a server that might be outside the AWS GovCloud (US) Region.

To prevent this type of attack and to maintain ITAR compliance, use network ACLs to deny outbound traffic on the database port to destinations outside the VPC, while still permitting it to the subnets where your database instances reside. Because network ACL rules are evaluated in ascending rule-number order with the first match winning, the deny rule must have a lower number than any broad allow rule that would otherwise cover the same traffic. For more information, see Network ACLs in the Amazon VPC User Guide.

For each database instance that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an internet gateway is attached to the VPC. Allow only connections from the AWS GovCloud (US) Region or other ITAR-controlled environments to ITAR-controlled database instances.
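Both controls in the guidance above, network ACLs on the database port and narrow CIDR or security-group sources on the instance, can be checked from the EC2 API. The following script is an added example, not AWS documentation or AWS-provided code. It evaluates network ACL egress the way the VPC does (ascending rule number, first match wins, implicit deny last), so a deny on the database port that is shadowed by a lower-numbered broad allow is correctly reported as ineffective, and it lists ingress sources on the database port that fall outside the ranges you treat as ITAR-controlled. The VPC CIDR, trusted ranges, ACL entries and security group are constructed; the probe addresses come from the IETF documentation ranges.

```python
"""Checks for the two VPC controls the ITAR guidance above relies on: network ACL
egress on the database port, and security-group ingress sources for the DB instance.

Added example, not AWS documentation or AWS-provided code. It works on the dict
shapes returned by `aws ec2 describe-network-acls` and `describe-security-groups`
(same as boto3) and runs here against constructed sample data; the VPC CIDR, group
IDs and addresses below are made up. Network ACL entries are evaluated the way the
VPC evaluates them: ascending rule number, first match wins, implicit deny last.
"""
import ipaddress

DB_PORT = 5432
VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")                     # constructed
# Ranges treated as ITAR-controlled environments (constructed): the VPC itself and
# a peered GovCloud VPC. Anything else counts as "outside".
TRUSTED_CIDRS = [VPC_CIDR, ipaddress.ip_network("10.30.0.0/16")]
# Stand-ins for "some host outside the VPC", taken from the documentation ranges.
PROBE_IPS = ["198.51.100.10", "203.0.113.25", "192.0.2.44"]

SAMPLE_ACL = {                                                      # constructed
    "NetworkAclId": "acl-0a1b2c3d",
    "Entries": [
        # 90: the application tier may reach DB instances inside the VPC
        {"RuleNumber": 90, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "10.20.0.0/16", "PortRange": {"From": DB_PORT, "To": DB_PORT}},
        # 100: the DB port may not leave toward anywhere else; this must sit before
        # the broad allow at 110, or 110 would win for the same traffic
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": DB_PORT, "To": DB_PORT}},
        {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
}

SAMPLE_SG = {                                                       # constructed
    "GroupId": "sg-0db0e5",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [{"CidrIp": "10.20.1.0/24"}, {"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}


def _entry_matches(entry, protocol, port, address):
    """Does one ACL entry cover this protocol, port and address?"""
    if entry["Protocol"] not in ("-1", protocol):
        return False
    if address not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    if entry["Protocol"] == "-1":                 # all traffic: ports irrelevant
        return True
    rng = entry.get("PortRange", {"From": 0, "To": 65535})
    return rng["From"] <= port <= rng["To"]


def egress_decision(acl, port, dest_ip, protocol="6"):
    """'allow' or 'deny' for one outbound flow, by first-match rule order."""
    address = ipaddress.ip_address(dest_ip)
    for entry in sorted((e for e in acl["Entries"] if e["Egress"]),
                        key=lambda e: e["RuleNumber"]):
        if _entry_matches(entry, protocol, port, address):
            return entry["RuleAction"]
    return "deny"                                 # the implicit final rule


def db_port_leaks(acl, port=DB_PORT, probes=PROBE_IPS):
    """Probe addresses outside the VPC that the ACL would let DB traffic reach.

    An empty list means "no database traffic leaves the VPC" holds for every
    probe; it is a spot check, not a proof over the whole address space.
    """
    return [ip for ip in probes if egress_decision(acl, port, ip) == "allow"]


def open_db_ingress(group, port=DB_PORT, trusted=TRUSTED_CIDRS):
    """CIDR sources allowed onto the DB port that fall outside every trusted range.

    Sources expressed as another security group (UserIdGroupPairs) are not
    flagged: that is the narrow, group-based access the guidance asks for.
    """
    findings = []
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] not in ("-1", "tcp"):
            continue
        if perm["IpProtocol"] == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if not any(net.subnet_of(t) for t in trusted):
                findings.append(rng["CidrIp"])
    return findings


if __name__ == "__main__":
    print("DB port leaks to:", db_port_leaks(SAMPLE_ACL))
    print("Open DB ingress from:", open_db_ingress(SAMPLE_SG))
```

With the sample data the ACL blocks the database port toward every probe while still allowing it inside the VPC and allowing other ports out; renumbering the deny above 110 makes every probe leak, which is the ordering mistake the check exists to catch. The security group check reports the 0.0.0.0/0 source on the database port and leaves the in-VPC range and the group reference alone.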

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints.